X-Git-Url: https://projects.mako.cc/source/selectricity-live/blobdiff_plain/dfefbfcd5664f972c7a0d7deb53b8eaa683d4c81..a356aac56f17278e79372b4e63ff3e160eec7cd2:/vendor/plugins/white_list/README diff --git a/vendor/plugins/white_list/README b/vendor/plugins/white_list/README new file mode 100644 index 0000000..84bb1ee --- /dev/null +++ b/vendor/plugins/white_list/README @@ -0,0 +1,29 @@ +WhiteList +========= + +This White Listing helper will html encode all tags and strip all attributes that aren't specifically allowed. +It also strips href/src tags with invalid protocols, like javascript: especially. It does its best to counter any +tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters. Check out +the extensive test suite. + + <%= white_list @article.body %> + +You can add or remove tags/attributes if you want to customize it a bit. + +Add table tags + + WhiteListHelper.tags.merge %w(table td th) + +Remove tags + + WhiteListHelper.tags.delete 'div' + +Change allowed attributes + + WhiteListHelper.attributes.merge %w(id class style) + +white_list accepts a block for custom tag escaping. Shown below is the default block that white_list uses if none is given. +The block is called for all bad tags, and every text node. node is an instance of HTML::Node (either HTML::Tag or HTML::Text). +bad is nil for text nodes inside good tags, or is the tag name of the bad tag. + + <%= white_list(@article.body) { |node, bad| white_listed_bad_tags.include?(bad) ? nil : node.to_s.gsub(/ \ No newline at end of file
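Review bot: the "Change allowed attributes" example (`WhiteListHelper.attributes.merge %w(id class style)`) presents `style` as a routine thing to allow, but an inline style attribute is a well-known script-injection channel (CSS `expression()` and `url(javascript:...)` in older browsers), and the README describes protocol filtering only for href/src; either drop `style` from the example or add a sentence warning that allowing it re-opens XSS through CSS. Two smaller documentation points in the same hunk: "strips href/src tags with invalid protocols" should say "attributes" (href/src are attributes, not tags), and because `Set#merge` adds to the existing set rather than replacing it, the heading "Change allowed attributes" is misleading where "Add allowed attributes" would match what the line does. Finally, the last line of the hunk as rendered here stops after `gsub(/`, so the "default block" the preceding paragraph promises to show is not readable; check that the complete block, including its closing `%>`, is what actually lands in the file.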